tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: 3.2.2 - handling requests for WEB-INF/*
Date Fri, 01 Jun 2001 16:20:28 GMT
On Fri, 1 Jun 2001, Peter S. Heijnen wrote:

> But, since the WEB-INF directory may be used internally, it is actually a
> nice place to stick some 'hidden' files.
> 
> Isn't there any way to distinguish internal requests from direct client
> requests? If not, the WEB-INF directory should be filtered at a lower level
> before the request is sent to the CM.
> 
> > Read the specification, section 9.4:
> >
> > A special directory exists within the application hierarchy named
> > "WEB-INF". This directory contains all things related to the
> > application that aren't in the document root of the application. It is
> > important to note that the WEB-INF node is not part of the public
> > document tree of the application. No file contained in the WEB-INF
> > directory may be served directly to a client.
> 

Correct behavior (also clarified more clearly in the 2.3 spec) includes
the following:

* Client requests for URIs like /WEB-INF/xxx (or /META-INF/xxx) are
  prohibited.

* Servlets can access application resources within these directories:

    URL url = getServletContext().getResource("/WEB-INF/web.xml");
    InputStream stream =
     getServletContext().getResourceAsStream("/WEB-INF/web.xml");

* Servlets can use a request dispatcher to forward/include a URI that
  is within WEB-INF (this is one way to keep people from directly
  accessing your JSP pages in an MVC-organized web app):

    RequestDispatcher rd =
     getServletContext().getRequestDispatcher("/WEB-INF/mypage.jsp");
    rd.forward(request, response);

* Servlets can use Class.getResource()/getResourceAsStream() and
  ClassLoader.getResource()/getResourceAsStream() to include unpacked
  resources in /WEB-INF/classes, or resources packaged in JAR files
  in /WEB-INF/lib.

* (2.3 requirement only) Classes and resources in /WEB-INF/classes
  override classes and resources with the same name under
  /WEB-INF/lib.

Craig McClanahan
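
Added example (not part of the original message and not Tomcat's own code): one way a container or front filter could enforce the first rule above on direct client requests, while the internal routes (getResource(), RequestDispatcher, class loaders) never pass through the check. The class and method names are hypothetical, the path is assumed to be already URL-decoded and context-relative, and the case-insensitive match is an added assumption to cover case-insensitive filesystems.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class ProtectedPathCheck {

    /** Collapses "//", "/./" and "/../" in a decoded, context-relative
     *  path. Returns null if ".." climbs above the context root. */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** True when a direct client request for this path must be refused. */
    static boolean isProtected(String decodedPath) {
        String p = normalize(decodedPath);
        if (p == null) return true;   // escapes the context root: refuse
        // Compare after normalization so "/x/../WEB-INF" cannot slip by,
        // and ignore case so "/web-inf" is treated like "/WEB-INF".
        String upper = p.toUpperCase(Locale.ENGLISH);
        return upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/")
            || upper.equals("/META-INF") || upper.startsWith("/META-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the thread.
        String[] samples = {
            "/index.jsp", "/WEB-INF/web.xml", "/web-inf/web.xml",
            "/images/../WEB-INF/classes/app.properties",
            "//META-INF/MANIFEST.MF", "/WEB-INFO/readme.txt", "/../etc"
        };
        for (String s : samples) {
            System.out.println((isProtected(s) ? "deny  " : "serve ") + s);
        }
    }
}
```

Only /index.jsp and /WEB-INFO/readme.txt are served; the prefix test requires a segment boundary, so a directory that merely starts with "WEB-INF" is not blocked by mistake.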


